WASHINGTON – President Bush’s cybersecurity czar has flatly denied that the government is considering measures to require Internet service providers to retain all e-mail transmissions traveling across their servers for surveillance purposes.
"There is no intention to do that," said Richard Clarke, special adviser for cyberspace security, when asked directly if such a plan was in play.
Not everyone is so sure, however, that data retention is off the table. Sources behind the scenes say that guidelines being drafted by the White House for cybersecurity include data retention measures similar to those passed by the European Parliament in May.
Technology groups and administration officials working on the cybersecurity plan deny that they have been working on guidelines that would impose requirements on private Internet companies to keep online correspondence.
On May 30, the European Parliament passed a resolution urging member states to create laws to require data retention from Internet service providers. Spain, Germany, France and Belgium have already followed through, passing laws that require ISPs to save everything from personal passwords, e-mail addresses and Web activity to cell phone numbers for as long as seven years in some cases.
In a visit to Washington this week, some members of the European Parliament, in town to discuss Internet and government issues with U.S. officials and technology companies, expressed concern that the May vote was the first step toward a European-wide mandate, and said they hope the rumors that the United States is planning to hop on the bandwagon aren't true.
"There is a strong indication that the EU is trying to have common European-wide data retention and we don’t know what the limits will be," said Marco Cappato, a Parliament member from Italy who is still bristling after being outnumbered in his opposition to the resolution.
Internet experts say similar suggestions have been posed for the United States in the past, for instance during discussion of the Justice Department reforms outlined in the USA PATRIOT Act passed last fall. Future discussions may include such talk, too.
"I wouldn't be surprised if it came up again," said Rep. Robert Goodlatte, R-Va., co-chairman of the Congressional Internet Caucus. "We have been concerned that there continues to be discussions on this."
Jerry Berman, executive director of the Center for Democracy and Technology and member of the Internet Education Foundation that co-sponsored this week's visit by the Europeans, said the debate over data retention is alive and well.
"We're expecting to fight the same fight here," Berman said of the EU resolution. "There will be strong opposition from privacy organizations. We're very concerned."
Not only are privacy issues a concern, but technology experts doubt the private sector could structurally handle the vast requirements of data retention.
Clarke's office is expected to release its National Strategy to Secure Cyberspace on Sept. 19. A comprehensive plan to protect private sector and government networks from cyber-terror attacks, the proposal, which is part of the overall homeland security effort, is being co-authored by the private sector industries it will affect, including banks and financial institutions, utilities, hospitals, higher education and technology companies, Clarke said.
"We need standards, we need benchmarks," and open lines of communication between the public and private sectors to ensure protection, he said. "Everyone today is reliant on some part of cyberspace and everyone has a positive obligation to secure their part in cyberspace.”
But while offering a grim outlook regarding the possibility of future attacks, Clarke was firm that Bush is adamant about maintaining the balance between privacy and security.
"The president feels very strongly that we do not need to erode our civil liberties," he said. "There are ways to defend against terrorism without throwing out our liberties."
Meanwhile, the House passed a measure this week 385 to 3 that would double the prison sentence to 20 years for knowingly attempting to cause serious injury through a cyber attack.
The bill, which is headed to the Senate Judiciary Committee, also allows law enforcement to initiate electronic wiretapping into online communications for 48 hours prior to getting a warrant as long as authorities can prove a national security threat or a risk of protected computers being hacked.